View Issue Details

ID: 0028552
Project: mantisbt
Category: security
View Status: public
Last Update: 2021-06-17 12:41
Reporter: Feras
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 2.25.2
Fixed in Version: 2.25.2
Summary: 0028552: CVE-2021-33557: XSS in manage_custom_field_edit_page.php
Description

I noticed that there is a wrong sanitizer that can lead to XSS.

In file manage_custom_field_edit_page.php:

// In line 57
$f_return   = strip_tags( gpc_get_string( 'return', 'manage_custom_field_page.php' ) );

// In line 90
<input type="hidden" name="return" value="<?php echo $f_return ?>" />

Here, if the input was (" onfocus="alert(1)" autofocus=") then the alert will be executed.
The source: https://security.stackexchange.com/questions/97550/how-to-launch-xss-code-from-an-input-html-tag-upon-page-load

Originally reported by @Feras in ~65513

Tags: No tags attached.

Activities

dregad (developer), 2021-05-15 06:08, ~0065518

I am not able to reproduce with the given indications. As far as I know, hidden inputs can't get focus [1], but there may be other ways to trigger code execution.

This return parameter does not seem to be used anywhere in the code, looks like a leftover from a very old change (see MantisBT master 81ad05d4).

So I'm thinking it is probably best to simply get rid of it, rather than add a string_attribute() call.

Feras (reporter), 2021-05-15 08:03, ~0065522

Thank you for opening a new issue.

I checked the current case and it is true that it is not possible to work with the hidden input.

But there is a case where an attacker can play around when he passes 'return' with this value: " accesskey="Y" onclick="alert(1)" autofocus="

link example: http://localhost/mantisbt-2.25.1/manage_custom_field_edit_page.php?field_id=1&return=" accesskey="Y" onclick="alert(1)" autofocus="

Then we will have this line in the html page

<input type="hidden" name="return" value="" accesskey="Y" onclick="alert(1)" autofocus="" />

And if the attacker asks the user to press Alt + Shift + Y, then the script will be executed.

Note1: It works for me on Firefox but it is not working on Chrome.

Note2: We still have the CSP as a second protection.

dregad (developer), 2021-05-15 09:30, ~0065523

@Feras I'm going to request a CVE for this issue; how would you like to be credited for the finding?

dregad (developer), 2021-05-16 06:54, ~0065528

I sent the CVE request form, will update the issue when I hear back from MITRE.

Until then, please find attached a patch that should address the vulnerability.

This return parameter does not seem to be used anywhere in the code, looks like a leftover from a very old change

This will be reintroduced as part of 0028557

0001-Fix-XSS-on-manage_custom_field_edit_page.php.patch (1,322 bytes)   
From e1667bf81c9cc49738df467bc55ef68049357917 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Sat, 15 May 2021 15:43:09 +0200
Subject: [PATCH] Fix XSS on manage_custom_field_edit_page.php

Thanks to Feras AL-KASSAR (SAP) <en.feras@hotmail.com> who reported
this vulnerability, which was discovered in the context of the EU
research project TESTABLE.

Unescaped output of 'return' parameter allows an attacker to inject code
into a hidden input field in the manage-custom-field-update-form.

Fixes #28552, CVE-xxx
---
 manage_custom_field_edit_page.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manage_custom_field_edit_page.php b/manage_custom_field_edit_page.php
index 02126294f..743d92fed 100644
--- a/manage_custom_field_edit_page.php
+++ b/manage_custom_field_edit_page.php
@@ -87,7 +87,7 @@ $t_definition = custom_field_get_definition( $f_field_id );
 	<fieldset>
 		<?php echo form_security_field( 'manage_custom_field_update' ); ?>
 		<input type="hidden" name="field_id" value="<?php echo $f_field_id ?>" />
-		<input type="hidden" name="return" value="<?php echo $f_return ?>" />
+		<input type="hidden" name="return" value="<?php echo string_attribute( $f_return ); ?>" />
 
 <table class="table table-bordered table-condensed table-striped">
 	<tr>
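Review bot: string_attribute() on the output is the right context-aware fix for the `return` hidden input, but the strip_tags() call on input at line 57 (quoted in the issue description) should then be dropped rather than kept as a second layer: it removes only `<...>` sequences, does nothing for a value that merely closes the attribute with a double quote, and invites the false assumption that the value is already safe. The sibling hidden input on the line above, `value="<?php echo $f_field_id ?>"`, is also echoed raw; if $f_field_id is read with an integer getter or cast to int upstream that is fine, otherwise apply the same string_attribute() there. Finally, the commit message still carries the "CVE-xxx" placeholder; fill it in once MITRE replies, before the commit is merged.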
-- 
2.25.1
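The root cause discussed in this thread is a sanitizer chosen for the wrong context: strip_tags() removes markup, but the value is placed inside an HTML attribute, where closing the quote is enough. The following is an added example, not MantisBT code; it approximates MantisBT's string_attribute() with PHP's htmlspecialchars() (an assumption about its implementation) and renders the hidden input both ways with the value quoted in the issue.

```php
<?php
// Added example, not part of MantisBT. Shows why strip_tags() is the wrong
// sanitizer for an attribute context and what context-aware escaping does.

// Approximation of MantisBT's string_attribute() (assumption: the real
// function may differ). ENT_QUOTES escapes both " and ', so the value can
// never terminate the surrounding attribute.
function escape_attribute( string $p_value ): string {
	return htmlspecialchars( $p_value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

// Mirrors the vulnerable code path: strip_tags() on input, raw echo on output.
// strip_tags() only removes <...> sequences; a value without angle brackets
// passes through unchanged.
function render_hidden_input_unsafe( string $p_return ): string {
	$t_return = strip_tags( $p_return );
	return '<input type="hidden" name="return" value="' . $t_return . '" />';
}

// Mirrors the fix: the value is escaped for the attribute context at output time.
function render_hidden_input_fixed( string $p_return ): string {
	$t_return = strip_tags( $p_return );
	return '<input type="hidden" name="return" value="'
		. escape_attribute( $t_return ) . '" />';
}

// A check a reviewer can apply to any attribute value: after escaping, no raw
// double quote may remain, so the attribute cannot be closed early.
function attribute_value_is_safe( string $p_escaped ): bool {
	return strpos( $p_escaped, '"' ) === false;
}

// Constructed input: the value quoted in the issue report.
$t_payload = '" accesskey="Y" onclick="alert(1)" autofocus="';

echo "Unsafe rendering:\n", render_hidden_input_unsafe( $t_payload ), "\n\n";
echo "Fixed rendering:\n", render_hidden_input_fixed( $t_payload ), "\n\n";

echo 'strip_tags() output safe?   ', var_export( attribute_value_is_safe( strip_tags( $t_payload ) ), true ), "\n";
echo 'escaped output safe?        ', var_export( attribute_value_is_safe( escape_attribute( $t_payload ) ), true ), "\n";
```

Run with `php example.php`: the unsafe rendering reproduces the injected attributes shown in the thread, while the fixed rendering keeps the whole value inside the single `value` attribute.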

dregad (developer), 2021-05-25 02:46, ~0065564

CVE-2021-33557 assigned.

dregad (developer), 2021-06-04 11:51, ~0065596

For some reason MITRE assigned a 2nd CVE ID to this issue: CVE-2021-33812. I wrote to them so it gets flagged as duplicate and cancelled.

Related Changesets

MantisBT: master-2.25 03dd3722 (dregad, 2021-05-15 09:43:09)

Fix XSS on manage_custom_field_edit_page.php

Thanks to Feras AL-KASSAR (SAP) <en.feras@hotmail.com> who reported
this vulnerability, which was discovered in the context of the EU
research project TESTABLE.

Unescaped output of 'return' parameter allows an attacker to inject code
into a hidden input field in the manage-custom-field-update-form.

Fixes 0028552, CVE-2021-33557
Affected Issues: 0028552

mod - manage_custom_field_edit_page.php